commit 6db33dc1eb5408c5535d7cf35d5d4c86ef00978d
Author: Danny Rawlins <monster.romster@gmail.com>
Date: Fri Nov 21 22:32:14 2014 +1100
denyhosts: 2.6 -> 2.9
diff --git a/denyhosts/.footprint b/denyhosts/.footprint
index f6df45a..422af98 100644
--- a/denyhosts/.footprint
+++ b/denyhosts/.footprint
@@ -2,14 +2,12 @@ drwxr-xr-x root/root etc/
 drwxr-xr-x root/root etc/denyhosts/
 -rw-r--r-- root/root etc/denyhosts/denyhosts.conf
 drwxr-xr-x root/root etc/rc.d/
-lrwxrwxrwx root/root etc/rc.d/denyhosts -> /usr/share/denyhosts/daemon-control
+-rwxr-xr-x root/root etc/rc.d/denyhosts
 drwxr-xr-x root/root usr/
-drwxr-xr-x root/root usr/bin/
--rwxr-xr-x root/root usr/bin/denyhosts
 drwxr-xr-x root/root usr/lib/
 drwxr-xr-x root/root usr/lib/python2.7/
 drwxr-xr-x root/root usr/lib/python2.7/site-packages/
--rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts-2.6-py2.7.egg-info
+-rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHost-2.9-py2.7.egg-info
 drwxr-xr-x root/root usr/lib/python2.7/site-packages/DenyHosts/
 -rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts/__init__.py
 -rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts/__init__.pyc
@@ -53,16 +51,8 @@ drwxr-xr-x root/root usr/lib/python2.7/site-packages/DenyHosts/
 -rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts/util.pyc
 -rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts/version.py
 -rw-r--r-- root/root usr/lib/python2.7/site-packages/DenyHosts/version.pyc
-drwxr-xr-x root/root usr/share/
-drwxr-xr-x root/root usr/share/denyhosts/
--rwx------ root/root usr/share/denyhosts/daemon-control
-drwxr-xr-x root/root usr/share/denyhosts/plugins/
--rw-r--r-- root/root usr/share/denyhosts/plugins/shorewall_allow.sh
--rw-r--r-- root/root usr/share/denyhosts/plugins/shorewall_deny.sh
--rwxr-xr-x root/root usr/share/denyhosts/plugins/test_deny.py
-drwxr-xr-x root/root usr/share/denyhosts/scripts/
--rwxr-xr-x root/root usr/share/denyhosts/scripts/restricted_from_invalid.py
--rwxr-xr-x root/root usr/share/denyhosts/scripts/restricted_from_passwd.py
--rw-r--r-- root/root usr/share/denyhosts/setup.py
-drwxr-xr-x root/root var/
-drwxr-xr-x root/root var/log/
+drwxr-xr-x root/root usr/man/
+drwxr-xr-x root/root usr/man/man8/
+-rw-r--r-- root/root usr/man/man8/denyhosts.8.gz
+drwxr-xr-x root/root usr/sbin/
+-rwxr-xr-x root/root usr/sbin/denyhosts
diff --git a/denyhosts/.md5sum b/denyhosts/.md5sum
index 74ae689..d5b5601 100644
--- a/denyhosts/.md5sum
+++ b/denyhosts/.md5sum
@@ -1,6 +1 @@
-fc2365305a9402886a2b0173d1beb7df DenyHosts-2.6.tar.gz
-a0abe102add4420e766cc90d0709f425 denyhosts-2.6-config.patch
-67e0d788356f9f7183c217a2eae71bf1 denyhosts-2.6-cve-2013-6890.patch
-79abdfcd7ce0859f2f3f134598a89209 denyhosts-2.6-log-injection-regex.patch
-6ed4e279640b8a5c0c04dd4193ac15e2 denyhosts-2.6-plugin_deny.patch
-dfd91828e48d97af2e77e009c67c4754 denyhosts-2.6-single_config_switch.patch
+2c1d82799e43676db667c447959d9d97 denyhosts-2.9.tar.gz
diff --git a/denyhosts/Pkgfile b/denyhosts/Pkgfile
index 6e9dfe8..6c7f624 100644
--- a/denyhosts/Pkgfile
+++ b/denyhosts/Pkgfile
@@ -1,46 +1,34 @@
 # Description: DenyHosts is a script intended to be run by Linux system administrators to help thwart ssh server attacks.
-# URL: http://denyhosts.sourceforge.net/
+# URL: http://denyhost.sourceforge.net/
 # Maintainer: Danny Rawlins, crux at romster dot me
 # Packager: Danny Rawlins, crux at romster dot me
 # Depends on: python
 name=denyhosts
-version=2.6
-release=2
-source=(http://downloads.sourceforge.net/project/$name/$name/$version/DenyHosts-$ver...
- denyhosts-$version-config.patch
- denyhosts-2.6-cve-2013-6890.patch
- denyhosts-2.6-log-injection-regex.patch
- denyhosts-2.6-single_config_switch.patch
- denyhosts-2.6-plugin_deny.patch)
+version=2.9
+release=1
+source=(http://downloads.sourceforge.net/project/denyhost/denyhost-$version/$name-$v...)
 build() {
 cd DenyHosts-$version
- patch -p0 -i $SRC/$name-$version-config.patch
- patch -p1 -i $SRC/denyhosts-2.6-log-injection-regex.patch
- patch -p1 -i $SRC/denyhosts-2.6-single_config_switch.patch
- patch -p1 -i $SRC/denyhosts-2.6-plugin_deny.patch
- patch -p1 -i $SRC/denyhosts-2.6-cve-2013-6890.patch
- /usr/bin/python setup.py install --root=$PKG
- rm $PKG/usr/share/denyhosts/*.txt
-
- install -d \
- $PKG/etc/ \
- $PKG/etc/{denyhosts,rc.d} \
- $PKG/var/log
+ install -d $PKG/etc/{denyhosts,rc.d} $PKG/usr/sbin
- mv $PKG/usr/share/denyhosts/denyhosts.cfg-dist \
+ mv $PKG/etc/denyhosts.conf \
 $PKG/etc/denyhosts/denyhosts.conf
- mv $PKG/usr/share/denyhosts/daemon-control-dist \
- $PKG/usr/share/denyhosts/daemon-control
-
- chmod 700 $PKG/usr/share/denyhosts/daemon-control
+ mv $PKG/usr/bin/daemon-control-dist \
+ $PKG/etc/rc.d/denyhosts
- ln -s /usr/share/denyhosts/daemon-control $PKG/etc/rc.d/denyhosts
- rm $PKG/usr/share/denyhosts/plugins/README.contrib
- mv $PKG/usr/bin/denyhosts.py $PKG/usr/bin/denyhosts
+ mv $PKG/usr/bin/denyhosts.py $PKG/usr/sbin/denyhosts
+ mv $PKG/usr/share/man $PKG/usr/man
+
+ rmdir $PKG/usr/share $PKG/usr/bin
+
+ sed -i \
+ -e 's|^DENYHOSTS_LOCK = .*|DENYHOSTS_LOCK = 
"/var/run/denyhosts.pid"|' \ + -e 's|^DENYHOSTS_CFG = .*|DENYHOSTS_CFG = "/etc/denyhosts/denyhosts.conf"|' \ + $PKG/etc/rc.d/denyhosts } diff --git a/denyhosts/README b/denyhosts/README index b00c75e..c2c706b 100644 --- a/denyhosts/README +++ b/denyhosts/README @@ -23,11 +23,12 @@ NOTES: To protect sshd. -Edit /etc/hosts.allow and comment out everyting, everything will have access by default. +Edit /etc/hosts.allow and comment out everything, everything will have access by default. Edit /etc/hosts.deny and comment out the "ALL: ALL: DENY" part, also the "#End of file" bit will be useless as denyhosts appends to the file. -(note the config in inetd.conf dosn't seem to be right or needed? see messages apon boot up, any corections email me :) ) +(note the config in inetd.conf doesn't seem to be right or needed? see +messages upon boot up, any corrections email me :) ) -Danny Rawlins, <romster at shortcircuit dot net dot au +Danny Rawlins, <contact at romster dot me diff --git a/denyhosts/denyhosts-2.6-config.patch b/denyhosts/denyhosts-2.6-config.patch deleted file mode 100644 index 68de8a4..0000000 --- a/denyhosts/denyhosts-2.6-config.patch +++ /dev/null 
@@ -1,43 +0,0 @@
---- daemon-control-dist~ 2006-04-22 09:04:43.000000000 +1000
-+++ daemon-control-dist 2007-01-03 01:47:12.000000000 +1100
-@@ -11,9 +11,9 @@
- #### Edit these to suit your configuration ####
- ###############################################
-
--DENYHOSTS_BIN = "/usr/bin/denyhosts.py"
--DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
--DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
-+DENYHOSTS_BIN = "/usr/bin/denyhosts"
-+DENYHOSTS_LOCK = "/var/run/denyhosts.pid"
-+DENYHOSTS_CFG = "/etc/denyhosts/denyhosts.conf"
-
- PYTHON_BIN = "/usr/bin/env python"
-
---- denyhosts.cfg-dist~ 2006-08-21 00:09:57.000000000 +1000
-+++ denyhosts.cfg-dist 2007-01-03 01:44:25.000000000 +1100
-@@ -8,8 +8,11 @@
- # The file to process can be overridden with the --file command line
- # argument
- #
-+# CRUX
-+SECURE_LOG = /var/log/auth
-+#
- # Redhat or Fedora Core:
--SECURE_LOG = /var/log/secure
-+#SECURE_LOG = /var/log/secure
- #
- # Mandrake, FreeBSD or OpenBSD:
- #SECURE_LOG = /var/log/auth.log
-@@ -191,8 +194,11 @@
- # and deleted upon exit. This ensures that only one instance is
- # running at a time.
- #
-+# CRUX
-+LOCK_FILE = /var/run/denyhosts.pid
-+#
- # Redhat/Fedora:
--LOCK_FILE = /var/lock/subsys/denyhosts
-+#LOCK_FILE = /var/lock/subsys/denyhosts
- #
- # Debian
- #LOCK_FILE = /var/run/denyhosts.pid
diff --git a/denyhosts/denyhosts-2.6-cve-2013-6890.patch b/denyhosts/denyhosts-2.6-cve-2013-6890.patch
deleted file mode 100644
index 3065d5e..0000000
--- a/denyhosts/denyhosts-2.6-cve-2013-6890.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Subject: address remote denial of service CVE-2013-6890
-From: Helmut Grohne <helmut () subdivi de>
-
-ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
-
-results in a log lines
-
-sshd[123]: Invalid user Invalid user root from 123.123.123.123 from 21.21.21.21
-sshd[123]: input_userauth_request: invalid user Invalid user root from 123.123.123.123 [preauth]
-sshd[123]: Connection closed by 21.21.21.21 [preauth]
-
-and causes denyhosts to block both ips 21.21.21.21 and 123.123.123.123.
-
-This patch tightens the regular expressions used to avoid these and similar
-injections.
-
-Index: denyhosts-2.6/DenyHosts/regex.py
-===================================================================
---- denyhosts-2.6.orig/DenyHosts/regex.py 2013-12-22 11:54:42.000000000 +0100
-+++ denyhosts-2.6/DenyHosts/regex.py 2013-12-22 11:55:05.000000000 +0100
-@@ -6,22 +6,22 @@
-
- #DATE_FORMAT_REGEX = re.compile(r"""(?P<month>[A-z]{3,3})\s*(?P<day>\d+)""")
-
--SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
-+SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""")
- #SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""")
-
--FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-+FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-
--FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) 
.*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-+FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-
--FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-+FAILED_ENTRY_REGEX3 = None
-
--FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
-+FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""")
-
--FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
-+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""")
-
--FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-+FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-
--FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
-+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""")
-
-
- # these are reserved for future versions
-@@ -42,7 +42,7 @@
- FAILED_ENTRY_REGEX_MAP[i] = rx
-
-
--SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>.*) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-+SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) 
from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-
- TIME_SPEC_REGEX = re.compile(r"""(?P<units>\d*)\s*(?P<period>[smhdwy])?""")
-
diff --git a/denyhosts/denyhosts-2.6-log-injection-regex.patch b/denyhosts/denyhosts-2.6-log-injection-regex.patch
deleted file mode 100644
index c6fc205..0000000
--- a/denyhosts/denyhosts-2.6-log-injection-regex.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Address Log injection reported at
-
-http://bugs.gentoo.org/show_bug.cgi?id=181213
-
-diff -ur a/DenyHosts/regex.py b/DenyHosts/regex.py
---- a/DenyHosts/regex.py 2006-12-07 13:47:04.000000000 -0600
-+++ b/DenyHosts/regex.py 2007-06-19 18:51:54.000000000 -0500
-@@ -17,11 +17,11 @@
-
- FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
-
--FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
-+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
-
- FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-
--FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
-+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
-
-
- # these are reserved for future versions
diff --git a/denyhosts/denyhosts-2.6-plugin_deny.patch b/denyhosts/denyhosts-2.6-plugin_deny.patch
deleted file mode 100644
index 74868e7..0000000
--- a/denyhosts/denyhosts-2.6-plugin_deny.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From: Marco Bertorello <marco@bertorello.ns0.it>
-Date: Thu, 14 Apr 2011 00:11:35 +0200
-Subject: 09_plugin_deny
-
-Correct the upstream bug http://sourceforge.net/tracker/index.php?func=detail&aid=1734736&group_id=131204&atid=720419
----
- DenyHosts/deny_hosts.py | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/DenyHosts/deny_hosts.py b/DenyHosts/deny_hosts.py
-index f308264..0f5f48d 100644
---- a/DenyHosts/deny_hosts.py
-+++ b/DenyHosts/deny_hosts.py
-@@ -443,7 +443,7 @@ allowed based on your %s file""" % (self.__prefs.get("HOSTS_DENY"),
- self.__report.add_section(msg, new_denied_hosts)
- if self.__sync_server: self.sync_add_hosts(new_denied_hosts)
- plugin_deny = self.__prefs.get('PLUGIN_DENY')
-- if plugin_deny: plugin.execute(plugin_deny, deny_hosts)
-+ if plugin_deny: plugin.execute(plugin_deny, new_denied_hosts)
-
- new_suspicious_logins = login_attempt.get_new_suspicious_logins()
- if new_suspicious_logins:
---
diff --git a/denyhosts/denyhosts-2.6-single_config_switch.patch b/denyhosts/denyhosts-2.6-single_config_switch.patch
deleted file mode 100644
index cb39df9..0000000
--- a/denyhosts/denyhosts-2.6-single_config_switch.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Marco Bertorello <marco@bertorello.ns0.it>
-Date: Thu, 14 Apr 2011 00:11:35 +0200
-Subject: 11_single_config_switch
-
-A patch to prevent denyhosts running with a double --config switch
----
- daemon-control-dist | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/daemon-control-dist b/daemon-control-dist
-index 9f42b60..14d0f70 100755
---- a/daemon-control-dist
-+++ b/daemon-control-dist
-@@ -144,7 +144,8 @@ if __name__ == '__main__':
-
- try:
- if option in ('start', 'restart', 'condrestart'):
-- if '--config' not in args and '-c' not in args:
-+ anystartswith = lambda prefix, xs: any(map(lambda x: x.startswith(prefix), xs))
-+ if not anystartswith('--config', args) and '-c' not in args:
- args.append("--config=%s" % DENYHOSTS_CFG)
-
- cmd = cases[option]
---